This is a slightly different twist, but is a cost-effective method assuming
your firewall supports this: my experience was with Watchguard.

Watchguard firewalls have the ability to force people to log in to the
firewall before they open a port - typically you would use this if you
wanted to restrict web browsing by user, however it works from the outside
in as well.

So the process was simple: set up a separate username and password on the
firewall for a user, and before they can access your OWA, or Terminal Server
farm, whatever, they have to authenticate to the firewall. Next, when they
wish to access the actual resource they are after they have to use the
Windows password etc to do so. 

It's not pure two factor in that both levels are 'something the user knows'
as opposed to something they know and something they have and something they
are etc, but it's effective, and cheap to implement.

If you have multiple sites, take some of those old Windows 2000 Server CDs
you have and create a virtual domain controller in a separate Windows 2000
domain at each site (assuming you're licensed of course), and then let the
domain controllers sync up so the user only has one firewall password for
the whole estate, as opposed to one for each site. Point the firewall
authentication at that Active Directory, and you're done.

-----Original Message-----
From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: 30 July 2009 03:46
To: NT System Admin Issues
Subject: Windows two factor auth quick poll

I'm throwing this out into the ether 'cause I really don't know where to
start.

I'm looking for strong remote access / user authentication for a
Windows 2003 functional level domain.

RSA SecurID
-or-
Aladdin SafeWord
-or-
Entrust IdentityGuard
-or-
Authenex-ASAS
-or-
Quest Defender
-or-
something else?

Desired features are:

1) minimal cost (naturally)
2) minimal installation footprint
3) flexibility (different rules depending on where the user is
physically located)
4) ease of management
5) upgrade-ready (to future AD versions, etc.)

All thoughts and experiences are welcome.

Thanks,
RS

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

